Re: Multiple websites in one IIS with Integrated Windows Authentication



Hi,

You have two options:
a) Configure IIS to send NTLM only for that website - at the moment IIS is
sending both Negotiate (Kerberos) and NTLM as available authentication
mechanisms to the client, and the client is choosing Kerberos

b) If you wish to use Kerberos rather than NTLM, then you will need to
register an SPN (Service Principal Name) for the FQDN of the website you are
accessing. If the website is running in a web app pool that is running under
LocalSystem/Network Service, then register the SPN under the IIS server's
machine account. If the web app pool is running under a custom account, then
register the SPN under the user account that is being used as the process
identity for the web app pool.

Cheers
Ken


"ramram49" <ramram49.2fetke@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ramram49.2fetke@xxxxxxxxxxxxxxxxxxxxxxxxx

Hi Ken,

Yes..I am logging on using domain\username format.

On the DC, there is such system error logged:

Source: Kerberos
Event ID: 4

Description: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/hcl-intranet.mydomain.com. The target name used
was HTTP/hkg-intranet.mydomain.com. This indicates that the password
used to encrypt the kerberos service ticket is different that that on
the target server. Commonly, this is due to identically named machine
accounts in the target realm (MYDOMAIN.COM), and the client realm.
Please contact your system administrator.com

Kindly give me some more hints..^^

Ken Schaefer wrote:
You can have as many sites as you want using IWA and domain based
credentials.

Something else is wrong in your setup. Are you logging on using
Domain\Username?

Cheers
Ken





--
ramram49
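
Option (b) from the reply above, as an added example that is not part of the original posts: before adding the SPN, check that no other account already holds it, since a ticket encrypted for the wrong account is what the KRB_AP_ERR_MODIFIED event reports. It assumes the ActiveDirectory PowerShell module is available; the function name `Register-SiteSpn`, the machine account name `HCL-INTRANET$` (inferred from the host name in the event) and the service account `svc-intranet` are hypothetical.

```powershell
# Added example: register an HTTP SPN on the app pool's process identity,
# refusing to create a duplicate. Searches the current domain only.
Import-Module ActiveDirectory

function Register-SiteSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Spn,            # e.g. HTTP/hkg-intranet.mydomain.com
        [Parameter(Mandatory)] [string] $SamAccountName  # machine accounts end in '$'
    )

    # The account the web app pool runs as (machine account or custom user).
    $target = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties sAMAccountName
    if (-not $target) { throw "Account '$SamAccountName' not found in this domain" }

    # Every object that currently carries this SPN.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)

    # An SPN held by any other account means the KDC encrypts the service
    # ticket with a key the web site's process identity cannot decrypt.
    $wrong = @($holders | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })
    if ($wrong.Count -gt 0) {
        throw "SPN $Spn is already registered on: $($wrong.sAMAccountName -join ', ')"
    }

    if ($holders.Count -eq 1) { return 'AlreadyRegistered' }

    if ($PSCmdlet.ShouldProcess($target.DistinguishedName, "add SPN $Spn")) {
        Set-ADObject -Identity $target -Add @{ servicePrincipalName = $Spn }
        return 'Registered'
    }
    return 'Skipped'
}

# App pool running as LocalSystem/Network Service: use the IIS server's
# machine account (name assumed from the event text). -WhatIf shows the
# change without writing it.
Register-SiteSpn -Spn 'HTTP/hkg-intranet.mydomain.com' -SamAccountName 'HCL-INTRANET$' -WhatIf

# App pool running under a custom account (hypothetical name): use that account instead.
# Register-SiteSpn -Spn 'HTTP/hkg-intranet.mydomain.com' -SamAccountName 'svc-intranet' -WhatIf
```

Clients that already hold a ticket for the old mapping keep using it until it expires or is purged (`klist purge`), so retest from a fresh logon session.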